Cybersecurity system for outbound roaming in a wireless telecommunications network

ABSTRACT

An outbound roaming system detects that a wireless device has left a home wireless network and, in response, identifies a visited wireless network on which the wireless device is likely to roam or is currently roaming. The outbound roaming system queries the visited wireless network to offer security information for the wireless device. The security information can include a security parameter for the visited wireless network to mitigate a potential cyberattack enabled by the wireless device. In response to receiving an acceptance of the offer and satisfying a condition, the outbound roaming system provides the security information to the visited wireless network. As such, the visited wireless network can dynamically defend against cyberattacks enabled by roaming devices.

BACKGROUND

In telecommunications, 5G is the fifth-generation technology standardfor cellular networks, the successor to 4G networks, which provideconnectivity to most current mobile phones. Like its predecessors, theservice area of 5G networks is divided into geographical areas calledcells. The wireless devices in a cell are connected to internet andtelephone networks by radio waves through a local antenna in the cell. Amain advantage of 5G networks is greater bandwidth, yielding higherdownload speeds, eventually up to 10 gigabits per second (Gbit/s). Dueto the increased bandwidth, 5G networks can also serve as generalinternet service providers (ISPs) and will make possible newapplications in internet-of-things (IoT) and machine-to-machine (M2M)areas.

5G introduces a new era of cybersecurity threats because, among otherthings, it enables communications and access of vastly higher volumesand types of data relative to prior generation technologies, and thusbroadens the possibility of cyberattacks. For example, the risk of databreaches or leaks of personal data can increase because user credentialsthat are readily communicated on networks can be stolen and used to gainaccess to private information available through applications andservices. Thus, victims can readily have their personal or privateinformation like social security numbers, addresses, date of births,driver license numbers, and other personal data compromised.

Although most interconnected devices on networks are safe, dependable,and reliable, 5G wireless networks create a greater number ofvulnerabilities to, for example, malware compared to other communicationnetworks. Malware refers to any software that is intentionally designedto cause damage to a computer, server, client, or network. A widevariety of malware types exist, including viruses, worms, Trojan horses,ransomware, spyware, adware, rogue software, and scareware. Thesevulnerabilities and others cannot be addressed with conventionaltechniques because widespread deployment of security resources acrossdiverse networks and devices is cost-prohibitive, resource intensive,and impractical. Thus, effective and targeted safeguards are desired.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present technology will be described and explainedthrough the use of the accompanying drawings.

FIG. 1 is a block diagram that illustrates a wireless communicationssystem that can implement aspects of the present technology.

FIG. 2 is a block diagram that illustrates an architecture of networkfunctions of a 5G network that can implement aspects of the presenttechnology.

FIG. 3 is a block diagram that illustrates interconnections ofinterworking networks to support roaming services.

FIG. 4 is a flow diagram that illustrates a method performed by aninterworking system to thwart a cyberattack that arises due toasymmetric security information between interconnected networks.

FIG. 5 is a flowchart that illustrates a method performed by an inboundroaming system of a visited network to thwart a potential cyberattack.

FIG. 6 is a flowchart that illustrates a method performed by an outboundroaming system to aid a visited network in thwarting a potentialcyberattack.

FIG. 7 is a block diagram that illustrates an example of a computingsystem in which at least some operations described herein can beimplemented.

Various features of the technologies described herein will become moreapparent to those skilled in the art from a study of the DetailedDescription in conjunction with the drawings. Embodiments areillustrated by way of example and not limitation in the drawings, inwhich like references may indicate similar elements. While the drawingsdepict various embodiments for the purpose of illustration, thoseskilled in the art will recognize that alternative embodiments may beemployed without departing from the principles of the technologies.Accordingly, while specific embodiments are shown in the drawings, thetechnology is amenable to various modifications.

DETAILED DESCRIPTION

The disclosed technologies address problems that arise from informationasymmetry between multiple wireless service providers or operators ofinterconnected wireless telecommunications networks. In one example,information asymmetry between networks creates security vulnerabilitiesto support roaming wireless devices (“roaming devices”). That is, theasymmetry gives rise to security vulnerabilities enabled or caused by ashared service or roaming devices.

An interconnection refers to a physical or logical connection betweennetworks. The interconnection of two different networks supportsend-to-end service interoperability. The interworking networks refers tothe functionality of two networks to communicate to each other therebyenabling services to be delivered for wireless devices across the twonetworks. Roaming refers to a wireless device (e.g., mobile phone) beingused outside the range of its home wireless network while in a visitednetwork. roaming, a network subscriber can automatically make andreceive voice calls, send and receive data, or access other services,including home data services, when travelling outside a geographicalcoverage area of its home network, by means of using a visited network.A “home network” refers to the wireless network in which the subscriberis registered. A “visited network” refers to a wireless network that asubscriber roams temporarily and is outside the bounds of the homenetwork. For example, if a subscriber travels beyond a home network'stransmitter range, the subscriber's wireless device can automaticallyhop onto a visited network's service, if available.

A network is equipped to support security measures for its own servicesand subscriber devices but not necessarily the services or devices ofother networks. For example, inbound roaming refers to roaming from theperspective of the visited network's operator, which is not fully awareof security risks associated with the home network of a roaming device.Outbound roaming refers to roaming from the perspective of the homenetwork's operator, where the home operator is aware of security risksof its own subscribers that roam in visited networks.

In one example, the disclosed technologies can mitigate the problemsthat arise from information asymmetry between networks by collectingsecurity data from different sources, standardizing that data into avulnerability-risk threat (VRT) model with a common format. Theresulting VRT data reveals security vulnerabilities and capabilitiesthat can be shared among operators to compensate for the informationasymmetry of interconnected networks or with roaming devices. The VRTsecurity model can characterize network traffic according to VRTparameters: a vulnerability relating to a state or condition of anetwork susceptible to a cyberattack; a risk relating to a scope orpotential harm of a cyberattack; and a threat relating to a probabilityor source of a cyberattack.

A cybersecurity system (“system”) for interconnected networks canprocess VRT information related to services or roaming devices andrecommend actions (e.g., block, quarantine, or redirect network traffic)to compensate for the asymmetry of security data. In one example, thecybersecurity system acts as a mediator or information broker that canexchange VRT information to improve the security of interworkingservices or for roaming devices.

The technologies thus create safeguards for interconnected networks fromcyberattacks by addressing the effects of asymmetric security data.Additional techniques are described in the assignee's relatedapplications including US Patent Application) ______, filed December XX,2020, titled “Cybersecurity System for Services of Interworking WirelessTelecommunications Networks,” US Patent Application) ______, filedDecember XX, 2020, titled “Cybersecurity System for Inbound Roaming in aWireless Telecommunications Network,” U.S. patent application Ser. No.16/874,649, filed May 14, 2020, titled “5G Cybersecurity ProtectionSystem Using Personalized Signatures,” U.S. patent application Ser. No.17/021,870, filed Sep. 15, 2020, titled “Visual Voicemail CentralizedAuthentication System for Wireless Networks,” U.S. patent applicationSer. No. 16/945,592, filed Jul. 31, 2020, titled “Cached Entity Profilesat Network Access Nodes to Re-Authenticate Network Entities,” U.S.patent application Ser. No. 16/945,637, filed Jul. 31, 2020, titled“Connectivity Scheduler for NB-10T Devices,” U.S. patent applicationSer. No. 17/007,782, filed Aug. 31, 2020, titled “Wireless Network ThatDiscovers Hotspots for Cyberattacks Based on Social Media Data,” U.S.patent application Ser. No. 16/849,158, filed Apr. 15, 2020, titled“On-Demand Security Layer for a 5G Wireless Network,” and U.S. patentapplication Ser. No. 16/921,765, filed Jul. 6, 2020, titled “SecuritySystem for Managing 5G Network Traffic,” each of which are incorporatedby reference in their entireties for all purposes.

Wireless Communications System

FIG. 1 is a block diagram that illustrates a wireless telecommunicationsystem 100 (“system 100”) in which aspects of the disclosed technologyare incorporated. The system 100 includes base stations 102-1 through102-4 (also referred to individually as “base station 102” orcollectively as “base stations 102”). A base station is a type ofnetwork access node (NAN) that can also be referred as a cell site, abase transceiver station, or a radio base station. The system 100 caninclude any combination of NANs including an access point, a radiotransceiver, a gNodeB (gNB), NodeB, eNodeB (eNB), Home NodeB, a HomeeNodeB, or the like. In addition to being a WWAN base station, a NAN canbe a WLAN access point, such as an IEEE 802.11 access point.

The NANs of a network formed by the system 100 also includes wirelessdevices 104-1 through 104-8 (referred to individually as “wirelessdevice 104” or collectively as “wireless devices 104”) and a corenetwork 106. The wireless devices 104-1 through 104-8 can correspond toor include network entities that are capable of communication usingvarious connectivity standards. For example, a 5G communication channelcan use millimeter waver (mmW) access frequencies of 28 GHz or more. Insome implementations, the wireless device 104 can operatively couple toa base station 102 over an LTE/LTE-A communication channel, which isreferred to as a 4G communication channel.

The core network 106 can provide, manage, or control security services,user authentication, access authorization, tracking, Internet Protocol(IP) connectivity, and other access, routing, or mobility functions. Thebase stations 102 interface with the core network 106 through a firstset of backhaul links 108 (e.g., S1 interfaces) and can perform radioconfiguration and scheduling for communication with the wireless devices104 or can operate under the control of a base station controller (notshown). In some examples, the base stations 102 can communicate, eitherdirectly or indirectly (e.g., through the core network 106), with eachother over a second set of backhaul links 110-1 through 110-3 (e.g., X1interfaces), which can be wired or wireless communication links.

The base stations 102 can wirelessly communicate with the wirelessdevices 104 via one or more base station antennas. The cell sites canprovide communication coverage for geographic coverage areas 112-1through 112-4 (also referred to individually as “coverage area 112” orcollectively as “coverage areas 112”). The geographic coverage area 112for a base station 102 can be divided into sectors making up only aportion of the coverage area (not shown). The system 100 can includebase stations of different types (e.g., macro and/or small cell basestations). In some implementations, there can be overlapping geographiccoverage areas 112 for different service environments (e.g.,Internet-of-Things (IOT), mobile broadband (MBB), vehicle-to-everything(V2X), machine-to-machine (M2M), machine-to-everything (M2X),ultra-reliable low-latency communication (URLLC), machine-typecommunication (MTC)).

In some examples, the system 100 can include a 5G network and/or anLTE/LTE-A network. In an LTE/LTE-A network, the term eNB is used todescribe the base stations 102 and, in 5G or new radio (NR) networks,the term gNBs is used to describe the base stations 102 that include mmWcommunications. The system 100 can form a heterogeneous network in whichdifferent types of base stations provide coverage for variousgeographical regions. For example, each base station 102 can providecommunication coverage for a macro cell, a small cell, and/or othertypes of cells. As used herein, the term “cell” can relate to a basestation, a carrier or component carrier associated with the basestation, or a coverage area (e.g., sector) of a carrier or base station,depending on context.

A macro cell generally covers a relatively large geographic area (e.g.,several kilometers in radius) and can allow unrestricted access bywireless devices with service subscriptions with the network provider.As indicated earlier, a small cell is a lower-powered base station, ascompared with a macro cell, and can operate in the same or different(e.g., licensed, unlicensed) frequency bands as macro cells. Examples ofsmall cells include pico cells, femto cells, and micro cells. Ingeneral, a pico cell can cover a relatively smaller geographic area andcan allow unrestricted access by wireless devices with servicesubscriptions with the network provider. A femto cell covers arelatively small geographic area (e.g., a home) and can providerestricted access by wireless devices having an association with thefemto cell (e.g., wireless devices in a closed subscriber group (CSG),wireless devices for users in the home). A base station can support oneor multiple (e.g., two, three, four, and the like) cells (e.g.,component carriers). All fixed transceivers noted herein that canprovide access to the network are NANs, including small cells.

The communication networks that accommodate various disclosed examplescan be packet-based networks that operate according to a layeredprotocol stack. In the user plane, communications at the bearer orPacket Data Convergence Protocol (PDCP) layer can be IP-based. A RadioLink Control (RLC) layer then performs packet segmentation andreassembly to communicate over logical channels. A Medium Access Control(MAC) layer can perform priority handling and multiplexing of logicalchannels into transport channels. The MAC layer can also use Hybrid ARQ(HARQ) to provide retransmission at the MAC layer, to improve linkefficiency. In the control plane, the Radio Resource Control (RRC)protocol layer provides establishment, configuration, and maintenance ofan RRC connection between a wireless device 104 and the base stations102 or core network 106 supporting radio bearers for the user planedata. At the Physical (PHY) layer, the transport channels are mapped tophysical channels.

As illustrated, the wireless devices 104 are distributed throughout thesystem 100, where each wireless device 104 can be stationary or mobile.A wireless device can be referred to as a mobile station, a subscriberstation, a mobile unit, a subscriber unit, a wireless unit, a remoteunit, a handheld mobile device, a remote device, a mobile subscriberstation, an access terminal, a mobile terminal, a wireless terminal, aremote terminal, a handset, a mobile client, a client, or the like.Examples of a wireless device include user equipment (UE) such as amobile phone, a personal digital assistant (PDA), a wireless modem, ahandheld mobile device (e.g., wireless devices 104-1 and 104-2), atablet computer, a laptop computer (e.g., wireless device 104-3), awearable (e.g., wireless device 104-4). A wireless device can beincluded in another device such as, for example, a drone (e.g., wirelessdevice 104-5), a vehicle (e.g., wireless device 104-6), an augmentedreality/virtual reality (AR/VR) device such as a head-mounted displaydevice (e.g., wireless device 104-7), an IoT device such as an appliancein a home (e.g., wireless device 104-8), or a wirelessly connectedsensor that provides data to a remote server over a network.

A wireless device can communicate with various types of base stationsand network equipment at the edge of a network including macroeNBs/gNBs, small cell eNBs/gNBs, relay base stations, and the like. Awireless device can also communicate with other wireless devices eitherwithin or outside the same coverage area of a base station viadevice-to-device (D2D) communications.

The communication links 114-1 through 114-11 (also referred toindividually as “communication link 114” or collectively as“communication links 114”) shown in system 100 include uplink (UL)transmissions from a wireless device 104 to a base station 102, and/ordownlink (DL) transmissions, from a base station 102 to a wirelessdevice 104. The downlink transmissions may also be called forward linktransmissions while the uplink transmissions may also be called reverselink transmissions. Each communication link 114 includes one or morecarriers, where each carrier can be a signal composed of multiplesub-carriers (e.g., waveform signals of different frequencies) modulatedaccording to the various radio technologies described above. Eachmodulated signal can be sent on a different sub-carrier and carrycontrol information (e.g., reference signals, control channels),overhead information, user data, etc. The communication links 114 cantransmit bidirectional communications using FDD (e.g., using pairedspectrum resources) or TDD operation (e.g., using unpaired spectrumresources). In some embodiments, the communication links 114 include LTEand/or mmW communication links.

In some embodiments of the system 100, the base stations 102 and/or thewireless devices 104 include multiple antennas for employing antennadiversity schemes to improve communication quality and reliabilitybetween base stations 102 and wireless devices 104. Additionally oralternatively, the base stations 102 and/or the wireless devices 104 canemploy multiple-input, multiple-output (MIMO) techniques that may takeadvantage of multi-path environments to transmit multiple spatial layerscarrying the same or different coded data.

In some embodiments, the wireless devices 104 are capable ofcommunicating signals via the LTE network and an mmW system (e.g., aspart of a 5G/NR system). Accordingly, the wireless device 104 cancommunicate with the base station 102 over an LTE link and/or with atransmission point (TP) or base station (BS) over an mmW link. Inanother example, at least one of the base stations 102 communicatessignals via the LTE network and the mmW system over one or morecommunication links 114. As such, a base station 116 may be referred toas an LTE+mmW eNB or gNB or as an LTE+mmW TP/BS/mmW-BS.

5G Network Functions

FIG. 2 is a block diagram that illustrates an architecture of networkfunctions of a 5G network that can implement aspects of the presenttechnology. A network entity such as a wireless device 202 can accessthe 5G network via a RAN 204, through a NAN such as a gNB. Thearchitecture of the network functions 200 includes an authenticationserver function (AUSF) 216, a unified data management (UDM) 218, anaccess and mobility management function (AMF) 212, a policy controlfunction (PCF) 214, a session management function (SMF) 220, and a userplane function (UPF) 222. The PCF 214 can connect with one or moreapplication functions (AFs) 224. The UPF 222 can connect with one ormore data networks (DNs) 223. The interfaces N1 through N15 define thecommunications and/or protocols between each function or component, asdescribed in relevant standards. The UPF 222 is part of the user planeand the AMF 212, SMF 220, PCF 214, AUSF 216, and UDM 218 are part of thecontrol plane. The UPFs can be deployed separately from control planefunctions and the network functions of the control plane are modularizedsuch that they can be scaled independently.

A UDM introduces the concept of user data convergence (UDC) thatseparates the user data repository (UDR) for storing and managingsubscriber information from the frontend that processes the subscriberinformation. The UDM can employ UDC under 3GPP TS 22.101, which supportsa layered architecture that separates user data from application logicin 3GPP systems. The UDM 218 is associated with a database (not shown)that can contain profile data for subscribers and/or other data that canbe used to authenticate network entities. Given the large number ofwireless devices (e.g., IoT devices) that can connect to the 5G network,the UDM 218 contains voluminous amounts of data that is accessed toauthenticate network entities.

For example, each time that a wireless device seeks to connect to a 5Gnetwork, a UDM receives an indication of a connection request andauthorizes the connection request by authenticating the wireless deviceor associated subscriber based on profile data stored at the UDM. TheUDM can then communicates the authorization to the NAN so that thewireless device can access the 5G network through the NAN.

Cybersecurity Systems for Asymmetric Security Information

Aspects of the disclosed technology include cybersecurity systems(“systems”) that collect and/or mediate exchanges of security-relatedinformation or data between interconnected networks that supportwireless devices. In general, robust security management requiresextensive knowledge of network capabilities and vulnerabilities. Assuch, a network operator can regularly monitor, store, publish, orupdate security data online or send the security data to a system thatcurates information. The system can then selectively communicate orbroadcast the curated security information to networks.

FIG. 3 is a block diagram 300 that illustrates interconnections ofnetworks that support interworking services and/or roaming devices.Networks that are interworking are operable to support one or moreservices of the other. For example, a first network can operate aservice that a second network can access and support for subscribers ofthe first or second networks. In contrast, roaming refers to one networksupporting a wireless device of the other network. For mobile operators302-1 and 302-2, roaming devices can be classified as inbound oroutbound. An inbound roaming service allows subscribers from an operatorto access a local network and services of another operator. An outboundroaming service allows subscribers from an operator's local network toaccess the other operator's network and services.

To ensure service and roaming continuity, agreements are typicallyformed between operator networks. For example, agreements between theoperators 302-1 and 302-2 set policies to control network access forroaming subscribers and manage shared services. Roaming agreements canstipulate authentication, authorization, and billing for visitingsubscribers, and minimal safety standards. The operators 302-1 and 302-2can connect to each other directly or through an Intermediary serviceprovider 304. A direct interconnection is through public networks orprivate lines that facilitate interconnections, for example. In oneexample, the intermediary service provider 304 establishes interworkingor roaming networks through which different operator networks connect.

In operation, each of the operators 302-1 and 302-2 collects andmaintains information regarding security capabilities andvulnerabilities of network services or devices including, for example,wireless devices of respective subscribers. However, the operators 302-1and 302-2 typically do not have access to security data of the other, orat least access to the same extent of the security data. Examples ofsecurity data include a configuration of a network service or a networkdevice (e.g., subscriber's wireless device), relate to network traffic(e.g., patterns indicative of malicious traffic), authorizationinformation, authentication information, or account (e.g., charging)information, and any other data that directly impacts network securityor is indicative of a vulnerability or malicious activity. Thisinformation asymmetry results in various problems for interworkingservices, inbound roaming, and outbound roaming.

In one example, security data is collected as VRT data from theoperators 302-1 and 302-2 or is converted to VRT data before beingexchanged between networks. The security data of wirelesstelecommunications networks includes, for example, vulnerabilities andcapabilities for hardware, software, and/or services that supportnetworks and subscriber devices. For example, network capabilities caninclude different resources that monitor malicious activity. Theresources can vary by type and scale of deployment. Examples includetypes and models of network devices, version of software,configurations, and functional states. For example, one operator candeploy a monitoring tool across particular types of known vulnerablewireless devices whereas another operator can deploy a monitoring toolfor hotspots. These differences mean that roaming devices may havevulnerabilities in one network but not another.

The system can automatically adapt to security data from sourcesincluding the operators 302-1 and 302-2, vendors, and/or publiclyavailable information. The system collects network-specific securitydata including an inventory or statistics of network assets. Thesecurity data can include information about hardware, software, andconfigurations (versions, settings, etc.). In one example, vendors ofthe assets can publish information of discovered vulnerabilities incybersecurity vulnerabilities and exposures (CVEs), which are indifferent formats. The system can also collect security data from publicsources such as the National Institute of Standards and Technology(NIST)'s national vulnerability database (NVD), which receives securitydata from vendors and provides common names for identified problems. Assuch, the system can collect security data directly from networkoperators (e.g., operators 302-1 and 302-2) and through intermediarysources (e.g., intermediary service provider 304).

The system aggregates the security data in a database and/or createsindividual profiles, often made up of thousands of pieces of data, forpurposes of allowing network operators to manage the threat ofcyberattacks that result from interworking and roaming devices. In oneexample, the system can manage the security data as VRT data having acommon format. Moreover, the system can use natural language processing(NLP) along with machine learning (ML) to adaptively identifyvulnerabilities by mapping security data with network-specificinformation. The system can also include tools for classification andrisk valuation, including an estimation of a financial risk to a networkcaused by a VRT. As a result, network operators can readily query forsecurity data of other networks and identify security risks posed byroaming devices. The system can prioritize VRTs to identify certainservices of each network that require additional security protectionsand then broadcast that information to the networks. Thus, the systemcan mediate the exchange of security data to mitigate potentialcyberattacks.

To service a network, the system can search for vulnerabilities acrossdifferent networks and provide suggested updates that are applicable toone network given the security data of other networks. Because of thelack of uniformly available network-specific information, networkscannot accurately identify services or resources that need updating tosecure interworking and roaming operations. For example, a network canlearn of a connection vulnerability for an XYZ-type wireless device on ahome network and configuration information to avert the vulnerability. Anetwork may support a service for a visiting XYZ-type wireless devicewithout implementing the same connection configuration. Hence, securitymeasures for interconnected networks are uncoordinated, inconsistent,and unreliable particularly with interworking networks and for roamingdevices.

Moreover, the security data of different networks does not necessarilyhave a consistent format. In particular, the security data isnetwork-implementation specific such that implementing a common securitysolution is ineffective to implement and manage across diverse networks.For example, one network may process vulnerability information in amachine-readable format, which is often misinterpreted. On the otherhand, security data in human-readable format requires a human tomanually analyze and determine whether information is relevant to anetwork. The analyst needs to review a source of the advisory and matchthat information to interworking networks including roaming devices.Given the cost-prohibitive nature of performing human reviews, theroutine use of human analysts is cost-prohibitive for many networkoperators.

The system can classify and score VRTs to produce a number that reflectsseverity of impact on a network. The numerical score can be translatedinto a qualitative representation (e.g., low, medium, high) to help anoperator assess and prioritize VRT management processes. Based on theclassification and score, the system can update a tracker and informnetworks of specific risks. The system can repeat the same analysis toreassess VRTs and ensure that a network is informed of current updates.The system can perform an analogous analysis for each type of VRT.

The database maintains network-specific information about networksincluding, for example, device capabilities and vulnerabilities ofsubscriber devices. For example, the database can receive and storeversion data of hardware and software assets, as well as configurationinformation from networks. The network-specific information can betransferred from the database to a learning component and/or mappingcomponent. For example, the database can extract network-specificinformation from tables on a periodic basis (e.g., once per day). Thelearning component can transform the network-specific information with amachine learning (ML) process that includes a data cleaning function,merging of different sources, and adaptive remapping.

The mapping component can adaptively map VRTs to network-specificinformation to identify any potential risk based on, for example, thetype of network asset and version described by the VRT. For example, themapping component can load the collected VRT information andnetwork-specific information to staging tables and update working tablesfor any new or changed information. The matching component matchesinformation of telecommunications assets in the vulnerabilityinformation with the network-specific information. For example, thematching component can match a device type, version, and/orconfiguration of one wireless devices in the VRT information tonetwork-specific information.

The VRT information that matches network-specific information can feed aclassification component to classify identified vulnerabilities. Theoutput of the classification component is then fed to a risk valuationcomponent to determine the scope of the risk and/or the degree of therisk due to the VRT data. The output of the risk valuation component isfed to a results database. The classification component and the riskvaluation component can transform data in accordance with an ML process.

The results of the VRT analytics are available to networks in a varietyof ways over a variety of means such as a graphical user interface(GUI). In some embodiments, the results are loaded to a cloud-baseddatabase. For example, a dashboard can provide access to the resultsdatabase. In another example, a text mining component extracts text fromthe results database for a search index that is accessible from the webGUI. As such, a network can readily access analytics information ratherthan being tasked to process vulnerability information manually.

Cybersecurity System for Interworkinq Networks

FIG. 4 is a flow diagram that illustrates a method 400 performed by acybersecurity system (“system”) that is configured to thwart acyberattack that arises due to asymmetric information betweeninterworking networks. The two interconnected networks are managed bydifferent network operators and are configured to support one or moreservices for wireless devices. A first network can operate a servicethat a second network can access and support for subscribers of thefirst or second networks. For example, a first network can be configuredto support a wireless standard (e.g., 3GPP standard) to permit awireless device to access the first network. A second network can accessinformation to borrow the service for wireless devices of the firstnetwork or the second network. In some implementations, the system isadministered by one of the interconnected networks or a third-partyservice provider (e.g., intermediary service provider 304) that cangenerate revenue by mediating the exchange of security information for afee. For example, a third-party server (e.g., not managed by theinterconnected networks) can operate one or more servers that areconfigured to collect and exchange the security information of theinterconnected networks.

In one example, the intermediary service provider can perform thedetection and prevention of a cyberattack with secured links between theinterconnected networks and the intermediary service provider. Theintermediary service provider can be located on secured physicallocation or in secured cloud network/premise (e.g., virtual network).The intermediary service provider can have redundancy to provide backupand availability in case of link failure/outage.

At 402, the system obtains security data of each of two interconnectednetworks in real-time or near real-time. The visibility of the securitydata is asymmetric between the interconnected networks, which havedifferent network operators and are configured to support one or moreservices for wireless devices. For example, the system can query each ofthe interconnected networks for information regarding a securitycapability or vulnerability of a wireless service. In response to thequery, the interworking system receives security data includingdifferent capabilities or vulnerabilities for the differentinterconnected networks. For example, the system can collect firstsecurity data of a first network and second security data of a secondnetwork. The first network has greater visibility of the first securitydata compared to the second security data and the second network hasgreater visibility of the second security data compared to the firstsecurity data.

In another example, the system can look for both real-time and non-realtime aspects, where real-time is related to immediate access forverification/detection while non-real time is related to historicinformation/patterns of the traffic, trends and predictions to addadditional layers of confirmation of attacks or misinterpretations ofattacks. The non-real-time data allows network engineers todesign/implement changes/additions/deletions of detection methods,protection methods based on changes to the vulnerability trends, andtechnology landscapes of the system

At 404, the system continuously stores security data of theinterconnected networks at one or more memories of the system inreal-time or near real-time. The system can refresh the memories withupdated security data and communicate an indication of the updatedsecurity data to the interconnected networks. For example, anintermediary system can maintain a logical memory structure for each ofthe interconnected networks, where each logical memory structure isconfigured to store capabilities or vulnerabilities of the network orits services. The system can obtain or convert the security data intovulnerability-risk-threat (VRT) information that characterizes apotential cyberattack in relation to a vulnerability parameter, a riskparameter, and a threat parameter. The vulnerability parameter relatesto a susceptibility to the cyberattack, the risk parameter relates to ascope of the cyberattack, and the threat parameter relates to a sourceof the cyberattack. For non-real-time aspects, the intermediary systemcould manage the memories and keep track of historic information fromboth networks. In addition, the networks could also keep track of theirhistoric information and feed it to the intermediary system whennecessary (e.g., to help optimize latency/parallel compute aspects tothus help the intermediary system make decisions faster).

At 406, the interworking system identifies a service of theinterconnected networks that requires a safeguard against a potentialcyberattack. The service is identified based on the security data, whichcould relate to, for example, whether the service is for a particulartype of device (e.g., Android or iOS). In one example, the serviceincludes a connection operation to establish a connection between thetype of wireless device and an interconnected network. Another exampleof a service includes a handoff operation between the interconnectednetworks. The interworking system can process the security data bycomparing capabilities of the networks relative to one or more servicesand use safeguards known to secure one network, to inform how tosafeguard the other network. For example, a second network may besusceptible to a cyberattack because of an outdated hardware or softwarecomponent that does not securely support a service of the first networkor because one network lacks a security resource of the other network.For example, a first network may implement a particular service that hasa known security vulnerability, which a second network would benefitfrom knowing when a wireless device on the second network seeks toaccess and use the particular service. In another example, the securitydata can indicate that a wireless device connected to a network througha NAN is running obsolete code or that had potentially compromisedsecurity settings.

At 408, the system determines a security parameter that relates thesecurity data to the potential cyberattack. An example of a securityparameter includes a configuration or setting to support a service.Examples of the security parameter include authentication,authorization, or account information, a setting or configuration for aservice, operation, or application to safeguard against a potentialcyberattack. The security parameter can be selected by the system basedon the security data and, in some examples, considering the currentsettings or configurations of one of the networks, or nodes within thenetwork such as a NAN. As such, a security parameter can depend oncharacteristics of a wireless service relative to different networks. Inanother example, the security parameter includes a classification of thesubscriber associated with the wireless service such as an indication ofa low, medium, or high threat.

At 410, the system communicates security information including thesecurity parameter to the interconnected networks, which, when adoptingthe security parameter, safeguard the interconnected networks againstthe potential cyberattack. The security information can include otherinformation such as an indication of the service that needssafeguarding. In one example, the interworking system can broadcast atleast an indication of security information to the interconnectednetworks, which enables simultaneous and uniform adoption as a commonsafeguard for a service.

At 412, either or both interconnected networks can process one or moreactions to safeguard against a potential cyberattack. An example of anaction includes denying or granting a service or restricting the scopeof the service for a wireless device. The action can designate atemporary effect that expires at the end of a time period. For example,the action can grant temporary permission to connect to a network (e.g.,for two hours). Another example includes monitoring network traffic of asusceptible wireless service. The actions can be related to the securityparameter that was identified based on the security data. For example,the system can identify a most frequently used (MFU) security parameteror a more recently used (MRU) security parameter. An MFU and MRUsecurity parameter may be associated with an action that is communicatedas a suggestion to a network. For example, the system can communicate anaction to a first network to mitigate the susceptibility for acyberattack when the wireless device connects or attempts to connect toa service of a second network based on actions known for MFUs or MRUs ofa second network.

Cybersecurity System for Inbound Roaming

An inbound roaming system (“inbound system”) of a wirelesstelecommunications network allows a network operator of a visitednetwork to deny or allow access to the visited network and/or determinea scope of granted access for roaming devices. The inbound system candetect, based on security data collected of the wireless device on ahome network, a potential cyberattack that is enabled by the roamingdevice. In one example, the home network maintains a UDM database thatstores subscriber profiles including security data for associatedwireless devices, capabilities, services, and the like. The home networkcan provide security information directly to the visited network orindirectly through a mediator system when queried by the visitednetwork. As such, the visited network can dynamically adapt for aroaming device based on the security information of the home network.

FIG. 5 is a flowchart that illustrates a method 500 performed by theinbound system of a visited network to thwart a cyberattack. Inparticular, the visited network can dynamically defend againstcyberattacks enabled by roaming devices. In some examples, the inboundsystem is administered by the visited network or by a third-partyservice that generates revenue by providing security information tovisited networks for a fee.

At 502, the inbound system processes a connection of a wireless deviceto roam on the visited network. For example, the inbound system canreceive an indication of a connection request or an indication of anestablished connection. The wireless device is subscribed to a homenetwork, and the home network stores security data of the wirelessdevice (e.g., VRT data). The security data is stored in a logical memorystructure per subscriber, wireless device, or groups thereof. Thelogical memory structure is configured to store capabilities orvulnerabilities in sharable profiles for networks. In one example, aprofile stores a most recent configuration of a connection of a wirelessdevice to a home network, which can be transferred to a visited networkto aid in a security configuration. In another example, the inboundsystem detects a handoff of a wireless device to a visited network fromanother network. In yet another example, the inbound system receives amessage or notification of the roaming device directly from the visitednetwork.

At 504, the inbound system queries a network resource that stores or hasaccess to security information of the wireless device. The networkresource includes a database administered by the home network or by anentity other than the home network and the visited network (e.g., athird party). For example, the inbound system can query the home networkto request security information including a security parameter that aidsin mitigating a potential cyberattack enabled by the roaming device.

The query can also include a payment of a fee in exchange for thesecurity information. The fee is an example of a condition that, in someimplementations, must be satisfied to obtain security information. Inone example, a payment for a fee is stored along with a call data record(CDR), which could be used to verify that the condition has beensatisfied. Another example includes a condition for requesting thesecurity information within a time period after the wireless deviceconnects or seeks to connect to the visited network. Limiting the timeperiod to, for example, 1 minute, can mitigate the risk that the visitednetwork is maliciously collecting security information for reasons otherthan to secure roaming on the visited network.

In one example, the system detects a vulnerability of a network based ontimestamps of protocol messages that must be communicated withinthreshold time intervals. An example includes RRC messages where aconnection request is followed by a response. The system can detect apotential cyberattack if the request/response times exceed 1-2 ms, orthere is a timing mismatched such as an acknowledgement being receivedbefore the request is communicated or a message takes too long to reacha destination (e.g., exceeds a threshold). The system could assumevulnerabilities were caused by a rogue device trying to randomlyaccess/intercept the network.

Similarly, the system can use location information associated withprotocol messages to detect a vulnerability of a network. For example,messages communicated by a roaming device are checked for their sourcelocations based on the GPS coordinates of the associated roaming device.The system assumes that the same roaming device sent two messages whentheir source locations are within a threshold distance. On the otherhand, when two messages are presumed to originate from the same roamingdevice but their respective source locations are geographically farapart (e.g., exceeding the threshold distance), the system can detectthis inconsistency as an indication of a vulnerability that, forexample, there is more than one device sending the messages (e.g., asuspected coordinated attack or another device that is impersonating theroaming device).

Examples of the security parameter include a setting or configurationfor a service, operation, or application to safeguard against apotential cyberattack. The security parameter can be selected by theinbound system based on the security data obtained from the home networkand, in some examples, considering the current settings orconfigurations of the visited network. In one example, the security dataincludes VRT data that characterizes a potential cyberattack based on avulnerability parameter that relates to a susceptibility to thecyberattack, a risk parameter that relates to a scope of thecyberattack, and a threat parameter that relates to a source of thecyberattack. As such, a security parameter can depend on an operation,capability, and/or configuration of the wireless device and the homenetwork relative to different visited networks. In another example, thesecurity parameter includes a classification of the subscriberassociated with the wireless device such as an indication of a low,medium, or high threat.

At 506, in response to the query, the inbound system receives anindication of a security parameter associated with the wireless device.The security parameter relates the security data of the wireless deviceto a potential cyberattack enabled by the wireless device when roamingon the visited network. For example, the inbound system queries adatabase administered by the home network or a third-party for aconfiguration of the home network to mitigate the potential cyberattackon the visited network. In another example, the visited network pays afee the satisfies the condition required to access the securityinformation. In another example, the inbound roaming system can exchangesecurity information between a visited network and a home network (e.g.,including capabilities or vulnerabilities of subscribers) for anadditional fee or in lieu of paying a fee to satisfy the condition.

At 508, the inbound system performs, based on the security parameter, anaction that affects roaming by the wireless device on the visitednetwork or modifies a security resource of the visited network tomitigate the potential cyberattack enabled by the wireless device. Forexample, the action can include denying or granting a connection requestto roam on the visited network, or restrict a scope of roaming on thevisited network. Another example of an action includes causing theinbound system to monitor the network traffic of the wireless devicewhile roaming on the visited network. In yet another example, the actionincludes configuring a security resource of the visited network inaccordance with a configuration of the home network. In other words, thevisited network can adopt a configuration of the home network for aroaming device. In one example, the security information can include amost frequently used (MFU) or a more recently used (MRU) securityparameter associated with the wireless device. The visited network canprioritize cybersecurity protections based on the MFU or MRU data.

At 510, the inbound system optionally stores at least a portion of thesecurity information at a local database. When the inbound systemrequires security information due to, for example, another connectionrequest for the same wireless device to roam on the same visitednetwork, the inbound system detects that the same wireless devicepreviously roamed on the visiting network. The inbound system can thenmore rapidly query the local database for security information tomitigate a potential cyberattack rather than querying the networkresource again.

Cybersecurity System for Outbound Roaming

An outbound roaming system (“outbound system”) of a wirelesstelecommunications network manages security data of subscribers. Theoutbound system can classify a home network's subscribers or associatedwireless devices that pose security risks and can make that informationavailable for visited networks that host roaming devices of the homenetwork. With this security information, the visited networks can decidewhether to grant/deny access and determine a safe scope of grantedaccess. In one example, a home network predicts or detects that one ofits subscribers will/is roaming a visited network and offers securitydata of the roaming device for purchase by the visited network. As such,the visited network can dynamically adapt based on the security data ofthe home network and/or configure the visited network accordingly.

FIG. 6 is a flowchart that illustrates a method 600 performed by theoutbound system to aid a visited network in thwarting a cyberattack. Inparticular, the visited network can dynamically defend againstcyberattacks enabled by roaming devices. In some examples, the outboundsystem is administered by the home network as a service for visitednetworks or is a third-party service to, for example, generate revenueby disclosing security information to visited networks for a fee.

At 602, the outbound system monitors security data of wireless devicesof subscribers of the home network in real-time or near real-time (or ananalogous non-real-time as described earlier regarding an inboundsystem). For example, the outbound system can intercept VRT data thatcharacterizes communications or operations of a wireless device based ona vulnerability parameter indicative of susceptibility to a cyberattack,a risk parameter indicative of a scope of the cyberattack, and a threatparameter indicative of a source of the cyberattack.

At 604, the outbound system stores the security data at a database forthe home network that is administered by the home network or thethird-party service. The outbound system maintains a logical memorystructure per subscriber, wireless device, or groups thereof. Thelogical memory structure is configured to store capabilities orvulnerabilities as a sharable profile for visited networks. In oneexample, a profile stores a most recent configuration of a connection ofthe wireless device to the home network, which can be transferred to avisited network to aid in connection configurations.

At 606, the outbound system detects that a wireless device of the homenetwork has left the home network. For example, the home network candetect a handoff to a network other than the home network andcommunicate an indication of the handoff to the outbound system. Inanother example, the outbound system receives a message or notificationof the roaming device from the visited network. As such, the outboundsystem infers that the wireless device has left the home network and issupported by the visited network.

At 608, the outbound system identifies a visited network on which thewireless device is likely to roam or is actively roaming. That is, theoutbound system can predict and/or identify the visited network on whichthe wireless device is likely to roam or is currently roaming. In oneexample, the visited network is identified based on a most recentgeographic location of the wireless device relative to when the outboundsystem detected that the wireless device left the home network.

At 610, the outbound system queries the visited network to offersecurity information including a security parameter that aids inmitigating the risk of a potential cyberattack enabled by the roamingdevice. The query can also include a request for payment of a fee inexchange for the security information to aid in mitigating the potentialcyberattack. The fee is an example of a condition that, in someimplementations, must be satisfied to disclose security information. Inone example, a payment for a fee is stored along with a call data record(CDR), which could be used to verify that the condition has beensatisfied. Another example includes a time period in which the requestwas communicated. For example, a condition can require acceptance by thevisited network within a time period after communicating the offer, tomitigate the risk that the visited network is maliciously collectingsecurity information.

Examples of the security parameter include a setting or configurationfor a service, operation, or application to safeguard against apotential cyberattack. The security parameter is selected based on thesecurity data obtained from the home network and, in some examples,considering the current settings or configurations of the visitednetwork. As such, a security parameter necessary for one visited networkmay be unnecessary for another visited network depending on anoperation, capability, and/or configuration of the wireless device andthe home network relative to the different visited networks. In anotherexample, the security parameter includes a classification of thesubscriber associated with the wireless device such as an indication ofa low, medium, or high threat.

At 612, the outbound system receives a response from the visitednetwork, which accepts the offer for the security information for thewireless device or associated subscriber. The response can include anindication that the payment was made for the security information. Forexample, the response can include a credit to the service provider ofthe outbound system by the visited network. In other example, theresponse can include information about the visited network, which can beused by the outbound system to determine and suggest a suitable oroptimal security parameter.

At 614, the outbound system communicates the security informationassociated with the wireless device to the visited network. In oneimplementation, the security information is communicated upon satisfyingthe required condition (e.g., payment of the fee). Thus, the securityinformation is based on the security data obtained from the home networkand enables the visited network to adopt a security parameter thatmitigates the risk of the potential cyberattack enabled by the roamingdevice. In one example, the security parameter enables the visitednetwork to adopt a configuration of the home network such as a mostrecent connection configuration of the wireless device used by the homenetwork. More generally, the security information can include a mostfrequently used (MFU) or a more recently used (MRU) security parameterassociated with the wireless device. The visited network can prioritizecybersecurity protections based on the MFU or MRU data.

Suitable Computer System

FIG. 7 is a block diagram that illustrates an example of a computersystem 700 in which at least some operations described herein can beimplemented. For example, components of the system 100 and componentsdiscussed with respect to FIGS. 1-6 can include or host components ofthe computing system 700.

As shown, the computer system 700 can include one or more processors702, main memory 706, non-volatile memory 710, a network interfacedevice 712, video display device 718, an input/output device 720, acontrol device 722 (e.g., keyboard and point device), a drive unit 724that includes a storage medium 726, and a signal generation device 730that are communicatively connected to a bus 716. The bus 716 representsone or more physical buses and/or point-to-point connections that areconnected by appropriate bridges, adapters, or controllers. The bus 716therefore can include a system bus, a Peripheral Component Interconnect(PCI) bus or PCI-Express bus, a HyperTransport or industry standardarchitecture (ISA) bus, a small computer system interface (SCSI) bus, auniversal serial bus (USB), IIC (I2C) bus, or an Institute of Electricaland Electronics Engineers (IEEE) standard 1394 bus (also referred to as“Firewire”). Various common components (e.g., cache memory) are omittedfrom FIG. 7 for brevity. Instead, the computer system 700 is intended toillustrate a hardware device on which components illustrated ordescribed relative to the examples of FIGS. 1-6 and any other componentsdescribed in this specification can be implemented.

The computer system 700 can take any suitable physical form. Forexample, the computing system 700 may share a similar architecture asthat of a personal computer (PC), tablet computer, mobile telephone,game console, music player, wearable electronic device,network-connected (“smart”) device (e.g., a television or home assistantdevice), AR/VR systems (e.g., head-mounted display), or any electronicdevice capable of executing a set of instructions that specify action(s)to be taken by the computing system 700. In some embodiment, thecomputer system 700 can be an embedded computer system, a system-on-chip(SOC), a single-board computer system (SBC) or a distributed system suchas a mesh of computer systems or include one or more cloud components inone or more networks. Where appropriate, one or more computer systems700 can perform operations in real-time, near real-time, or in batchmode.

The processor 702 can be, for example, a central processing unit, aconventional microprocessor (e.g., Intel Pentium processor). The memory(e.g., main memory 706, non-volatile memory 710, machine-readable medium726) can be local, remote, or distributed. Although shown as singlemedium, the machine-readable medium 726 can include multiple media(e.g., a centralized/distributed database and/or associated caches andservers) that store one or more sets of instructions 728. Themachine-readable (storage) medium 726 can include any medium that iscapable of storing, encoding, or carrying a set of instructions forexecution by the computing system 700. One of skill in the relevant artwill recognize that the machine-readable medium 726 can include any typeof medium that is accessible by the processor. The machine-readablemedium 726 can be non-transitory or comprise a non-transitory device. Inthis context, a non-transitory storage medium can include a device thatis tangible, meaning that the device has a concrete physical form,although the device can change its physical state. Thus, for example,non-transitory refers to a device remaining tangible despite this changein state.

In general, the routines executed to implement the embodiments of thedisclosure may be implemented as part of an operating system or aspecific application, component, program, object, module, or sequence ofinstructions (collectively referred to as “computer programs”). Thecomputer programs typically comprise one or more instructions (e.g.,instructions 704, 708, 728) set at various times in various memory andstorage devices in computing device(s). When read and executed by theprocessor 702, the instruction(s) cause the computing system 700 toperform operations to execute elements involving the various aspects ofthe disclosure.

Although embodiments have been described in the context of fullyfunctioning computing devices, the various embodiments are capable ofbeing distributed as a program product in a variety of forms. Examplesof machine-readable storage media, machine-readable media, orcomputer-readable media include recordable-type media such as volatileand non-volatile memory devices 710, removable flash memory, hard diskdrives, optical disks, and transmission-type media such as digital andanalog communication links.

Software is typically stored in the non-volatile memory and/or the driveunit 724. When software is moved to the memory for execution, theprocessor 702 will typically make use of hardware registers to storevalues associated with the software, and local cache that, ideally,serves to speed up execution. As used herein, a software program isassumed to be stored at any known or convenient location (e.g.,non-volatile storage, hardware registers) when the software program isreferred to as “implemented in a computer-readable medium.” A processorcan be “configured to execute a program” when at least one valueassociated with the program is stored in a register readable by theprocessor.

The network interface device 712 enables the computing system 700 tomediate data in a network 714 with an entity that is external to thecomputing system 700 through any communication protocol supported by thecomputing system 700 and the external entity. Examples of the networkinterface device 712 include a network adaptor card, a wireless networkinterface card, a router, an access point, a wireless router, a switch,a multilayer switch, a protocol converter, a gateway, a bridge, bridgerouter, a hub, a digital media receiver, and/or a repeater.

Further, the interface device 712 can include a firewall that governsand/or manages permission to access/proxy data in a computer network andtracks varying levels of trust between different machines and/orapplications. The firewall can be any number of modules having anycombination of hardware and/or software components able to enforce apredetermined set of access rights between a particular set of machinesand applications, machines and machines, and/or applications andapplications (e.g., to regulate the flow of traffic and resource sharingbetween these entities). The firewall may additionally manage and/orhave access to an access control list that details permissions includingthe access and operation rights of an object by an individual, amachine, and/or an application, and the circumstances under which thepermission rights stand.

Examples of the I/O devices 720 include a keyboard, a mouse or otherpointing device, disk drives, printers, a scanner, and other inputand/or output devices, including a display device. Examples of thedisplay device 718 can include a cathode ray tube (CRT), liquid crystaldisplay (LCD), or any display device.

In operation, the computer system 700 can be controlled by operatingsystem software that includes a file management system, such as a diskoperating system. One example of operating system software withassociated item management system software is the family of operatingsystems known as Windows® from Microsoft Corporation of Redmond, Wash.,and their associated item management systems. Another example ofoperating system software with its associated item management systemsoftware is the Linux™ operating system and its associated itemmanagement system. The item management system is typically stored in thenon-volatile memory and/or drive unit and causes the processor toexecute the various acts required by the operating system to input andoutput data and to store data in the memory, including storing items onthe non-volatile memory and/or drive unit.

The techniques introduced here can be implemented by programmablecircuitry (e.g., one or more microprocessors), software and/or firmware,special-purpose hardwired (i.e., non-programmable) circuitry, or acombination of such forms. Special-purpose circuitry can be in the formof one or more application-specific integrated circuits (ASICs),programmable logic devices (PLDs), field-programmable gate arrays(FPGAs), etc.

Some portions of the detailed description can be presented in terms ofalgorithms and symbolic representations of operations on data bitswithin a computer memory. These algorithmic descriptions andrepresentations are the means used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm can refer to aself-consistent sequence of operations leading to a desired result. Theoperations are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the following discussion,it is appreciated that throughout the description, discussions utilizingterms such as “processing” or “computing” or “calculating” or“determining” or “displaying” or “generating” or the like, refer to theaction and processes of a computer system, or similar electroniccomputing device, that manipulates and transforms data represented asphysical (electronic) quantities within the computer system's registersand memories into other data similarly represented as physicalquantities within the computer system memories or registers or othersuch information storage, transmission or display devices.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general purposesystems can be used with programs in accordance with the teachingsherein, or it can prove convenient to construct more specializedapparatus to perform the methods of some embodiments. The requiredstructure for a variety of these systems will appear from thedescription below. In addition, the techniques are not described withreference to any particular programming language, and variousembodiments can thus be implemented using a variety of programminglanguages.

In some circumstances, operation of a memory device, such as a change instate from a binary one to a binary zero or vice-versa, for example, cancomprise a transformation, such as a physical transformation. Withparticular types of memory devices, such a physical transformation cancomprise a physical transformation of an article to a different state orthing. For example, but without limitation, for some types of memorydevices, a change in state can involve an accumulation and storage ofcharge or a release of stored charge. Likewise, in other memory devices,a change of state can comprise a physical change or transformation inmagnetic orientation or a physical change or transformation in molecularstructure, such as from crystalline to amorphous or vice versa. Theforegoing is not intended to be an exhaustive list in which a change instate for a binary one to a binary zero or vice-versa in a memory devicecan comprise a transformation, such as a physical transformation.Rather, the foregoing is intended as illustrative examples.

Remarks

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense; that is to say, in the sense of“including, but not limited to.” As used herein, the terms “connected,”“coupled,” or any variant thereof means any connection or coupling,either direct or indirect, between two or more elements; the coupling orconnection between the elements can be physical, logical, or acombination thereof. Additionally, the words “herein,” “above,” “below,”and words of similar import can refer to this application as a whole andnot to any particular portions of this application. Where the contextpermits, words in the above Detailed Description using the singular orplural number may also include the plural or singular numberrespectively. The word “or” in reference to a list of two or more itemscovers all of the following interpretations of the word: any of theitems in the list, all of the items in the list, and any combination ofthe items in the list.

While specific examples of technology are described above forillustrative purposes, various equivalent modifications are possiblewithin the scope of the invention, as those skilled in the relevant artwill recognize. For example, while processes or blocks are presented ina given order, alternative implementations may perform routines havingsteps, or employ systems having blocks, in a different order, and someprocesses or blocks may be deleted, moved, added, subdivided, combined,and/or modified to provide alternative or sub-combinations. Each ofthese processes or blocks may be implemented in a variety of differentways. Also, while processes or blocks are at times shown as beingperformed in series, these processes or blocks may instead be performedor implemented in parallel, or may be performed at different times.Further, any specific numbers noted herein are only examples such thatalternative implementations can employ differing values or ranges.

Details of the disclosed embodiments may vary considerably in specificimplementations while still being encompassed by the disclosedteachings. As noted above, particular terminology used when describingcertain features or aspects of the invention should not be taken toimply that the terminology is being redefined herein to be restricted toany specific characteristics, features, or aspects of the invention withwhich that terminology is associated. In general, the terms used in thefollowing claims should not be construed to limit the invention to thespecific examples disclosed in the specification, unless the aboveDetailed Description explicitly defines such terms. Accordingly, theactual scope of the invention encompasses not only the disclosedexamples, but also all equivalent ways of practicing or implementing theinvention under the claims. Some alternative implementations can includeadditional elements to those implementations described above or includefewer elements.

Any patents and applications and other references noted above, and anythat may be listed in accompanying filing papers, are incorporatedherein by reference in their entireties, except for any subject matterdisclaimers or disavowals, and except to the extent that theincorporated material is inconsistent with the express disclosureherein, in which case the language in this disclosure controls. Aspectsof the invention can be modified to employ the systems, functions, andconcepts of the various references described above to provide yetfurther implementations of the invention.

To reduce the number of claims, certain embodiments are presented belowin certain claim forms, but the applicant contemplates various aspectsof an invention in other forms. For example, aspects of a claim can berecited in a means-plus-function form or in other forms, such as beingembodied in a computer-readable medium. A claim intended to beinterpreted as a mean-plus-function claim will begin with the words“means for.” However, the use of the term “for” in any other context isnot intended to invoke a similar interpretation. The applicant reservesthe right to pursue such additional claim forms in either thisapplication or in a continuing application.

I/We claim:
 1. At least one computer-readable storage medium, excludingtransitory signals and carrying instructions, which, when executed by atleast one data processor of an outbound roaming system, cause theoutbound roaming system to: monitor security data of wireless devices ofsubscribers of a home wireless network in real-time or near real-time;store the security data at a database for the home wireless network;detect that a wireless device of the home wireless network has left thehome wireless network, wherein the wireless device is associated with asubscriber of the home wireless network; in response to detecting thatthe wireless device left the home wireless network, identify a visitedwireless network on which the wireless device is likely to roam or iscurrently roaming, wherein the visited wireless network is identifiedbased on a most recent geographic location of the wireless devicerelative to a point in time when the wireless device left the homewireless network, and wherein the home wireless network and the visitedwireless network are managed by separate wireless service providers;query the visited wireless network to offer security information basedon the security data of the subscriber associated with the wirelessdevice, wherein the offer is contingent on satisfying a condition by thevisited wireless network, and wherein the security information includesa security parameter for use by the visited wireless network to adapt toa risk of a potential cyberattack enabled by the wireless device roamingon the visited wireless network; receive a response from the visitedwireless network accepting the offer for the security information of thesubscriber; and upon satisfying the condition, communicate the securityinformation associated with the wireless device to the visited wirelessnetwork.
 2. The at least one computer-readable storage medium of claim1, wherein the security data includes vulnerability-risk-threat (VRT)data that characterizes the wireless device in accordance with: avulnerability parameter that relates to a susceptibility to acyberattack, a risk parameter that relates to a scope of thecyberattack, and a threat parameter that relates to a source of thecyberattack.
 3. The at least one computer-readable storage medium ofclaim 1, wherein the condition includes payment of a fee and theresponse includes the payment.
 4. The at least one computer-readablestorage medium of claim 1, wherein the condition includes receipt of theresponse within a time period after querying the visited wirelessnetwork.
 5. The at least one computer-readable storage medium of claim1, wherein the security information includes a most frequently used(MFU) security parameter associated with the wireless device.
 6. The atleast one computer-readable storage medium of claim 1, wherein thesecurity information includes a more recently used (MRU) securityparameter associated with the wireless device.
 7. The at least onecomputer-readable storage medium of claim 1, wherein the securityinformation includes a classification of the subscriber associated withthe wireless device.
 8. The at least one computer-readable storagemedium of claim 1, wherein to store the security data at the databasecomprises causing the outbound roaming system to: maintain a logicalmemory structure for the wireless devices, wherein each logical memorystructure is configured to store capabilities or vulnerabilities of oneor more of the wireless devices.
 9. The at least one computer-readablestorage medium of claim 1, wherein to detect that the wireless devicehas left the home wireless network comprises causing the outboundroaming system to: store a most recent configuration of a connection ofthe wireless device.
 10. The at least one computer-readable storagemedium of claim 1, wherein to identify the visited wireless networkcomprises causing the outbound roaming system to: receive a notificationfrom the visited wireless network on which the wireless device is likelyto roam, wherein the notification includes a request for the securityinformation.
 11. The at least one computer-readable storage medium ofclaim 1, wherein to identify the visited wireless network comprisescausing the outbound roaming system to: receive a notification from thevisited wireless network on which the wireless device is currentlyroaming, wherein the notification includes a request for the securityinformation.
 12. An outbound roaming system of a home wireless network,the outbound roaming system comprising: a data processor; and a memoryincluding instructions which, when executed by the data processor, causethe outbound roaming system to: detect that a wireless device has leftthe home wireless network, wherein the wireless device is associatedwith a subscriber of the home wireless network; identify a prospectivevisited wireless network on which the wireless device is likely to roam,wherein the prospective visited wireless network is identified based ona recent geographic location where the wireless device left the homewireless network; query the prospective visited wireless network tooffer security information of the subscriber associated with thewireless device, wherein the security information includes a securityparameter for the visited wireless network to mitigate a potentialcyberattack enabled by the wireless device roaming on the visitedwireless network; receive a response from the prospective visitedwireless network accepting the offer for the security information of thesubscriber; and communicate the security information associated with thewireless device to the visited wireless network.
 13. The system of claim12, wherein the security information includes vulnerability-risk-threat(VRT) data based on: a vulnerability parameter relates to asusceptibility to a cyberattack, a risk parameter relates to a scope ofthe cyberattack, and a threat parameter relates to a source of thecyberattack.
 14. The system of claim 12, wherein the query includes arequest for a payment and the response includes an indication of thepayment.
 15. The system of claim 12, wherein the security informationincludes a most frequently used (MFU) or a more recently used (MRU)security parameter.
 16. The system of claim 12, wherein the securityparameter includes a classification of the subscriber associated withthe wireless device.
 17. A method performed by an outbound roamingsystem, the method comprising: detecting that a wireless device has lefta home wireless network; identifying a visited wireless network on whichthe wireless device is roaming, wherein the visited wireless network isidentified based on a geographic location of the wireless device;querying the visited wireless network to offer security informationconfigured to mitigate a potential cyberattack on the visited wirelessnetwork, wherein the potential cyberattack is enabled by the wirelessdevice roaming on the visited wireless network, and wherein the offerfor security information is conditioned on payment of a fee, receiving,from the visited wireless network, a response that satisfied thecondition to accept the offer for the security information;communicating the security information associated with the wirelessdevice to the visited wireless network, wherein the security informationincludes a security parameter of the home wireless network for thevisited wireless network to adopt to mitigate the potential cyberattack.18. The method of claim 17, wherein the security information includes amost frequently used (MFU) security parameter or a more recently used(MRU) security parameter of the home wireless network.
 19. The method ofclaim 17, wherein the security information includes a classification ofa subscriber associated with the wireless device.
 20. The method ofclaim 17, wherein the visited wireless network and the home wirelessnetwork are each 5G networks.